
Translation: Fast dynamic extracted honeypots in cloud computing-4.3 Evaluation

2025-01-14 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Write at the front:

When learning the relevant contents of the honeypot, I came into contact with some English materials, and the translation of these English materials was posted on my personal blog. I hope my limited English proficiency can make a little contribution to you. If any translation is improper, you can leave a message to correct it, and we can make progress together.

Be a happy programmer, be a programmer who loves sharing.

Please do not worry about whether the use of a particular word or phrase is reasonable; first understand the main content of the paper.

The copyright of each article will be indicated at the end of the original article; please abide by it.

Tags: honeypot, cloud computing, IaaS

4.3 Evaluation

For the evaluation of the proposed architecture, we use a modified Xen 4.1.2 version and a hardware node with an Intel(R) Xeon(R) Quad CPU X3450 with 2.67 GHz and 4 GB of RAM.

The Xen dom0 runs Ubuntu Linux 10.04 (i386) and kernel 3.0.0-13-generic-pae.

The domU guest VM runs Ubuntu Linux 11.10 (i386) with kernel 3.0.0-19-generic-pae.

Some version information about the running setup.

4.3.1 Honeypot extraction procedure

Since the snapshot only saves changes on the file image, the creation process of a new lvm2 snapshot in our setup is very fast.

Since the snapshot only saves changes to the file image, creating a new lvm2 snapshot in our setup is very fast.

First, the passwd and shadow files are replaced with modified files that disable the opportunity to log in.

First, the passwd and shadow files are replaced with modified files so that logging in is disabled.

Second, the web server data is removed and defined sectors are blocked.

Second, the web server data is deleted and access to the defined sectors is blocked.

The sector blocking has minimal performance overhead.

Blocking sectors has very little performance overhead.

This was optimized using requests to a sorted list of forbidden sectors and a binary search algorithm.

This was optimized by looking up requests in a sorted list of forbidden sectors with a binary search algorithm.
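As an added illustration (not the paper's code) of the sector-blocking lookup described above: forbidden sectors are kept as a sorted, merged list of ranges and each block request is checked with Python's bisect, so the cost per request stays logarithmic however many sectors are blocked. The range values and the `SectorBlocklist`/`filter_request` names are constructed for this example.

```python
import bisect
from typing import List, Tuple


class SectorBlocklist:
    """Sorted, non-overlapping forbidden sector ranges [start, end] (inclusive),
    queried with binary search. Illustrative class, not the paper's implementation."""

    def __init__(self, ranges: List[Tuple[int, int]]) -> None:
        merged: List[Tuple[int, int]] = []
        for start, end in sorted(ranges):
            if merged and start <= merged[-1][1] + 1:
                # Adjacent or overlapping range: extend the previous one so the
                # list stays non-overlapping and one lookup suffices.
                merged[-1] = (merged[-1][0], max(merged[-1][1], end))
            else:
                merged.append((start, end))
        self._starts = [s for s, _ in merged]
        self._ends = [e for _, e in merged]

    def ranges(self) -> List[Tuple[int, int]]:
        return list(zip(self._starts, self._ends))

    def is_blocked(self, sector: int, count: int = 1) -> bool:
        """True if any sector in [sector, sector + count) is forbidden."""
        if count <= 0:
            return False
        last = sector + count - 1
        # Only the last range that starts at or before the request's final
        # sector can overlap it, because the ranges are sorted and disjoint.
        idx = bisect.bisect_right(self._starts, last) - 1
        return idx >= 0 and self._ends[idx] >= sector


def filter_request(blocklist: SectorBlocklist, sector: int, count: int) -> str:
    """Decision the disk backend would make for one block request."""
    return "BLOCKED" if blocklist.is_blocked(sector, count) else "ALLOWED"


if __name__ == "__main__":
    # Constructed sample: two regions of the image the honeypot must not serve.
    bl = SectorBlocklist([(2048, 4095), (10000, 10007), (4096, 4200)])
    print(bl.ranges())                      # [(2048, 4200), (10000, 10007)]
    print(filter_request(bl, 0, 2048))      # ALLOWED
    print(filter_request(bl, 0, 2049))      # BLOCKED
```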

The time needed for the extraction is mostly influenced by the live cloning process and the copy of the memory of the original VM (Table 4).

The time required for extraction is mainly affected by the live cloning process and the memory copy of the original VM.

Since we deploy a honeypot only if needed and do not occupy prepared resources, these timings are good results.

Since we deploy a honeypot only when needed and do not occupy prepared resources, these timings are good results.

These timings are measured while the original VM is at low capacity utilization.

These timings are measured when the original VM is at low capacity utilization.

Due to the live migration algorithm, the more memory pages are modified during the copy procedure, the more copy iterations have to be performed. If the VM is highly utilized, the live cloning procedure takes much more time.

Due to the live migration algorithm, the more memory pages are modified during the copy process, the more copy iterations must be performed. If the VM's utilization is high, the live cloning process takes much more time.

In order to improve this, we modified the live migration algorithm of the Xen hypervisor to minimize the performed copy iterations and maximize the amount of dirty memory pages which are directly copied.

To improve this, we modified the live migration algorithm of the Xen hypervisor to minimize the number of copy iterations performed and maximize the number of dirty memory pages that are copied directly.

This results in a constantly fast live cloning procedure even if the VM is highly utilized.

As a result, the live cloning procedure stays fast even if VM utilization is high.

The disadvantage is that the honeypot VM is not fully synchronized with the original VM, but this is acceptable for our purposes. Thereby, the extraction procedure stays constant in time.

The disadvantage is that the honeypot VM is not completely synchronized with the original VM, but this is acceptable for our purposes. Thus, the extraction process is kept at a constant time.

4.3.2 Monitoring of the deployed honeypot

The honeypot VM must be closely monitored in order to respond quickly to successful attacks.

The honeypot VM must be closely monitored to respond quickly to successful attacks.

If a successful attack on the honeypot has been detected, it must be immediately terminated and no outgoing traffic should be able to leave in any way.

If a successful attack on the honeypot has been detected, it must be terminated immediately, and no outgoing traffic should be able to leave in any way.

Retrieving information using VMI and comparing 80 running processes to the previous information retrieval step takes about 66 ±11 ms.

Using VMI to retrieve information and comparing the 80 running processes with the previous information retrieval step takes about 66 ±11 ms.

Retrieving information about 14 loaded kernel modules can be performed in 54 ±7 ms in our setup.

In our setup, information about 14 loaded kernel modules can be retrieved within 54 ±7 ms.

Additionally, the controller can monitor files by examining the raw image file of the honeypot VM.

In addition, the controller can monitor files by examining the raw image file of the honeypot VM.

It can determine if certain files are accessed or modified.

It can determine whether some files have been accessed or modified.

Table 5 shows the timings for retrieving information about some files on a honeypot VM.

Table 5 shows the time needed to retrieve information about some files on a honeypot VM.

All in all, the honeypot controller can continuously monitor and compare every 250 ms the processes and modules of the running honeypot VM and check 12 files on the raw image snapshot for modifications.

Overall, the honeypot controller can continuously monitor and compare the processes and modules of the running honeypot VM every 250 ms, and check 12 files on the raw image snapshot for modifications.
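Added example (not from the paper) of the controller logic this subsection describes: each monitoring round compares the process and module lists obtained via VMI with the previous round, plus digests of the watched files as read from the raw image snapshot, and any change triggers the terminate-and-block-egress response. The snapshot contents, the sample file bytes and the `controller_decision` name are constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Snapshot:
    """One monitoring round: what VMI saw inside the guest plus digests of
    the watched files read from the raw image (outside the guest)."""
    processes: Set[Tuple[int, str]]   # (pid, command name) pairs
    modules: Set[str]                 # loaded kernel module names
    file_digests: Dict[str, str]      # watched path -> sha256 of its content


def digest(content: bytes) -> str:
    """Digest of a file's bytes as read from the raw image, so the check does
    not trust anything running inside the honeypot."""
    return hashlib.sha256(content).hexdigest()


def compare(prev: Snapshot, cur: Snapshot) -> List[str]:
    """Alerts for everything that changed since the previous round;
    an empty list means the honeypot looks untouched."""
    alerts: List[str] = []
    for pid, name in sorted(cur.processes - prev.processes):
        alerts.append(f"new process: {name} (pid {pid})")
    for pid, name in sorted(prev.processes - cur.processes):
        alerts.append(f"process exited: {name} (pid {pid})")
    for mod in sorted(cur.modules - prev.modules):
        alerts.append(f"kernel module loaded: {mod}")
    for path, d in sorted(cur.file_digests.items()):
        if prev.file_digests.get(path) != d:
            alerts.append(f"file modified: {path}")
    return alerts


def controller_decision(prev: Snapshot, cur: Snapshot) -> Tuple[str, List[str]]:
    """A honeypot with logins disabled should be idle, so any change counts as
    a successful attack: terminate the VM and let no traffic leave."""
    alerts = compare(prev, cur)
    return ("TERMINATE_AND_BLOCK_EGRESS" if alerts else "KEEP_RUNNING"), alerts


# Constructed sample rounds (not measurements or data from the paper).
BASELINE = Snapshot(
    processes={(1, "init"), (512, "sshd"), (640, "cron")},
    modules={"ext4", "xen_netfront"},
    file_digests={"/etc/passwd": digest(b"root:x:0:0::/root:/usr/sbin/nologin\n"),
                  "/etc/shadow": digest(b"root:!:15000:0:99999:7:::\n")},
)
ROUND_2 = Snapshot(
    processes=BASELINE.processes | {(777, "unknown_bin")},
    modules=BASELINE.modules | {"unknown_mod"},
    file_digests={**BASELINE.file_digests,
                  "/etc/passwd": digest(b"root:x:0:0::/root:/bin/sh\n")},
)
```

Running `controller_decision(BASELINE, ROUND_2)` yields the terminate decision with three alerts (new process, new module, modified /etc/passwd), while comparing `BASELINE` with itself keeps the honeypot running.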

For your convenience, I will upload the total doc document to the network disk.

Baidu Wenku

51cto: http://down.51cto.com/data/1887779

Csdn

Baidu network disk:

Personal blog: http://fergusj.blog.51cto.com

Your support is the greatest motivation for the author to write!

If you like this article and feel you have gained something from reading it, you might as well leave a message and a like, so that I have the motivation to continue writing high-quality translations.
